diff --git a/.github/workflows/pr-gh-project.yaml b/.github/workflows/pr-gh-project.yaml
index 50f6ecb5afc..7443e209137 100644
--- a/.github/workflows/pr-gh-project.yaml
+++ b/.github/workflows/pr-gh-project.yaml
@@ -5,6 +5,10 @@ on:
 jobs:
 rancher_gh_project:
+ permissions:
+ issues: write
+ pull-requests: write
+ repository-projects: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
@@ -12,8 +16,20 @@ jobs:
 uses: actions/setup-node@v1
 with:
 node-version: '16.x'
+ - name: Read secrets
+ uses: rancher-eio/read-vault-secrets@main
+ with:
+ secrets: |
+ secret/data/github/repo/${{ github.repository }}/github/app-credentials appId | APP_ID ;
+ secret/data/github/repo/${{ github.repository }}/github/app-credentials privateKey | APP_PEM
+ - name: Generate Token
+ id: generate-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ env.APP_ID }}
+ private-key: ${{ env.APP_PEM }}
 - name: script
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 PR_PROJECT: ${{ secrets.PR_PROJECT }}
- run: node .github/workflows/scripts/pr-gh-project.js
+ run: node .github/workflows/scripts/pr-gh-project.js
\ No newline at end of file
diff --git a/.github/workflows/scripts/pr-gh-project.js b/.github/workflows/scripts/pr-gh-project.js
index 3c43bbc3c14..882292c5a9d 100644
--- a/.github/workflows/scripts/pr-gh-project.js
+++ b/.github/workflows/scripts/pr-gh-project.js
@@ -196,7 +196,7 @@ async function processClosedAction() {
 console.log(' Issue is tech debt/dev validate/qa none - ignoring');
 } else {
 // Put this in when we remove the Zube workflow
- // A single workflow needs to re-open the issue after GH closes it
+ // A single workflow needs to re-open the issue after GH closes it
 // console.log(' Waiting for Zube to mark the issue as done ...');
 //
 // Output labels
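Review bot: The new `permissions:` block on `rancher_gh_project` grants three write scopes to the job's `GITHUB_TOKEN`, but the same commit switches `GH_TOKEN` to the GitHub App token, so none of the visible steps appears to use those scopes any more. Declaring `permissions:` explicitly also sets every unlisted scope to `none`, which removes `contents` (used by `actions/checkout`) and `id-token`. If `read-vault-secrets` authenticates to Vault through GitHub OIDC, which the diff does not show, the "Read secrets" step cannot obtain a token without `id-token: write`. I would replace the block with the minimum the steps need, `permissions:` / `contents: read` / `id-token: write`, and leave issue, pull-request and project access to the App installation's own permissions.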
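Review bot: `uses: rancher-eio/read-vault-secrets@main` in the new "Read secrets" step follows a mutable branch, yet this step loads the GitHub App private key into the job, so any later change to that branch runs with access to the key without review here. Pin it to a full commit SHA, `uses: rancher-eio/read-vault-secrets@<full-commit-sha>  # <release tag>`, and do the same for `actions/create-github-app-token@v1`, which receives the key as `private-key`. The key is read back through `env.APP_PEM`, which suggests it stays in the job environment, so the later `script` step would inherit it although it only needs `steps.generate-token.outputs.token`. The `on:` trigger is outside this hunk; it is worth confirming that pull requests from forks cannot reach these steps with code they control.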